Hello Bob and all,
Thanks for all the nice comments!
>Just to throw something into this that I don't think anyone has mentioned
>yet. What if you skipped the rpm database altogether and run the verify
>against the original RPM from RedHat? For example, "rpm -Vp somefile.rpm"?
Well, it makes sense to keep my original purpose in mind. I need the
functionality to be able to foil casual attackers against the honeypot
(where I replace /bin/rm with my variant of /bin/mv). I highly doubt
verification vs RedHat.com will be done by those people.
BTW, I am fully aware of LKM rootkits and researching using one of those
for the honeypot. However, I still try to stick with Honeynet project
philosophy of minimum modification to a system. There is a bunch of ways
to trojan Linux system up to and including writing a new OS that looks
just like Linux from the command prompt ;-)~
Best regards,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org